Hi,

Whenever I've coded my own JSP/Servlet pages to accept NTLM, I always trade in the successful NTLM auth for a session cookie. In other words:

#1. Browser gave me a good NTLM auth!
#2. I give the browser a session cookie.
#3. As long as browser uses that session cookie, then I consider the browser authenticated. I don't care about NTLM any more. If a new socket comes in, as long as it provides the session cookie, I'm happy.

But maybe that's just me. Who knows how other servers out there do it.

yours,

Julius

-----Original Message-----
From: Roland Weber [mailto:[EMAIL PROTECTED]
Sent: Sat 1/6/2007 2:26 PM
To: HttpComponents Project
Cc:
Subject: Re: [HttpConn] connection management

Hi Robert,

> As far as I understand it, yes as long as that connection is open
> all resources transferred are considered authenticated.

Thanks!

> NTLM is problematic since it works very differently from how http is
> supposed to work. NTLM keeps state, http does not.
>
> The only way I have managed to get my proxy to handle NTLM connections
> between the real server and the real client is to switch the proxy
> to a dumb tunnel when NTLM is negotiated (otherwise another client might
> reuse the same server connection and be authenticated). For a
> proxy any accidental authentication inheriting is very bad, for a normal
> browser/tool it is probably ok.

For a browser it doesn't matter because it's acting for a single user. I'm not sure how we handle this in HttpClient right now. But I sure don't want that to happen accidentally in 4.0.

> I suspect that there are lots of proxies that have problems when the
> real server tries to use NTLM.

The NTLM levels we can support are better not used outside of an intranet anyway ;-)

cheers,
  Roland

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
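
The concern raised in this thread is a proxy or pooling client handing out a server connection that has already completed NTLM for a different user. The sketch below is an added example, not part of the original messages and not HttpClient's own code; `Conn`, `Pool` and the user tokens are hypothetical names, and the NTLM handshake itself is assumed to have happened elsewhere.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Iterator;
import java.util.Objects;

/** Idle pool that never leases an NTLM-authenticated connection to a different user. */
public class StatefulPoolDemo {

    /** Stand-in for a persistent server connection (hypothetical type). */
    static final class Conn {
        final int id;
        Object state; // null = stateless; otherwise the user this socket authenticated as
        Conn(int id) { this.id = id; }
    }

    static final class Pool {
        private final Deque<Conn> idle = new ArrayDeque<>();
        private int nextId = 1;

        /** Lease an idle connection whose state equals the caller's token, else open a new one. */
        synchronized Conn lease(Object userToken) {
            for (Iterator<Conn> it = idle.iterator(); it.hasNext();) {
                Conn c = it.next();
                if (Objects.equals(c.state, userToken)) { it.remove(); return c; }
            }
            return new Conn(nextId++);
        }

        /** Return a connection; ntlmUser is non-null if NTLM completed on it. */
        synchronized void release(Conn c, Object ntlmUser) {
            if (ntlmUser != null) c.state = ntlmUser; // state sticks for the socket's lifetime
            idle.addFirst(c);
        }
    }

    public static void main(String[] args) {
        Pool pool = new Pool();
        Conn a = pool.lease(null);        // alice's first request, socket has no state yet
        pool.release(a, "alice");         // NTLM handshake completed on this socket
        Conn b = pool.lease("bob");       // bob must not inherit alice's socket
        Conn a2 = pool.lease("alice");    // alice may reuse her own
        Conn anon = pool.lease(null);     // a request with no identity gets a fresh socket
        System.out.println("bob reused alice's connection:   " + (b == a));
        System.out.println("alice reused her own connection: " + (a2 == a));
        System.out.println("anonymous reused alice's:        " + (anon == a));
    }
}
```

The key check is the state comparison in `lease`: a socket tagged with a user is only eligible for requests carrying the same token, so the remaining idle connections stay safe to share.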
